Future of computers, software and related issues by Dr Patrick Dixon. For his main site (articles / free books / presentations / videos) see www.globalchange.com (10 million unique visitors)

Wednesday, December 13, 2017

The truth about cyberattacks - and how to protect your business as well as personal life

What happens when you combine Robotics, Artificial Intelligence, the Internet of Things, Big Data and Cloud Computing, and apply them to the world of banking, telcos, mobile devices and personal computers?

The answer is that you get the biggest target for criminals that the world has ever seen - all waiting online to be attacked and exploited in a billion different ways using little more than a couple of computers, owned by very smart geeks.

Never in human history has it been possible for one person, sitting in a bedroom at home in a distant land, to create such havoc and chaos, to seize such power.

Cyber-crime will therefore be one of the greatest threats to our world over the next 50 years, and far beyond, into centuries to come.

There is no way back from such a future, except by dismantling all the global e-systems that link us increasingly together.

As I predicted many years ago, and have spoken about since in many keynotes on cybersecurity and related issues, every large company in the world is now experiencing frequent cyber-attacks, on their own systems or in the cloud, whether they realize it or not.

Cyberattacks already cost business over $300 billion a year

The Centre for Strategic and International Studies has estimated total cost to business to be around $300bn a year.

Losses are likely to be more than $1 trillion a year by 2025, especially if we see wide-scale attacks, sponsored by hostile governments.

We are not just talking about attacks on traditional targets like bank websites, but also commercial aggression like the blackmail of Sony, after the company released a controversial film about North Korea.

There is nothing new about web abuse. At least 80% of the 247 billion emails sent every day are spam, many of them so-called phishing attacks, pretending to be from a bank, encouraging people to enter passwords.

Expect 10 billion separate attacks a year

McAfee is already detecting over 600 million new and different computer viruses, malware or Trojan horses every year – several a second.

Pharma, chemicals, mining, electronics and agricultural companies are seeing increases of 600% a year in malware attacks.

Energy, oil and gas attacks are growing by 400%. Attempts to steal data from retailers are doubling every 12 months.

In many cases, tens of millions of credit card details have been stolen. Target lost data on 70 million people in a single attack.

A single contractor in South Korea managed to steal personal information on 20 million credit card users, more than half the country’s working population.

Two years previously, personal data on 35 million South Koreans was stolen from Cyworld, a popular social network.

3 billion people’s personal details have been stolen

Similar attacks have happened across the world. Hackers recently stole personal details of 213 million eBay users. Sony lost 100 million clients’ details to a hacker. The Heartbleed bug caused huge damage in 2014 as it swept globally, invading websites of many multinationals, retailers, banks and email companies.

Another example was a major attack on JP Morgan Chase – following a sustained assault with tens of thousands of separate attacks each day over many months, mostly traced to Russia. 76 million names, addresses, telephone numbers and email addresses were stolen – affecting two thirds of all households in America.

Most attacks are reported very late, some not at all, and many are never noticed of course.

Yahoo admitted in 2017 that 3 billion accounts were hacked back in 2013, triple the previous estimate they had given.

Why hackers will often escape prosecution if caught

I have met bankers who don’t prosecute or even sack staff who hack into their own bank systems.

“Just thought you should know…. Of course I should probably leak the news or publish the account names.”

Terrified of bad publicity, they pay them off, give them a wonderful reference, and let them go and work for a competitor – where exactly the same thing is likely to happen again.

There is no legal requirement in most countries for any bank to report when they have been hacked and data lost, which means that most attacks will never be known, and the true scale is far larger than most people think.

Even the most basic bank security can be pitifully weak.

I remember shortly before spending a day advising the board of a Swiss bank, I decided to carry out a test of my own. Without being challenged, I managed to walk right into a high-security area using the oldest tricks in the book: distracting reception staff, and gently pulling apart sliding security doors with my fingers.

Large corporations will be forced to encrypt stored data

All IT and smartphone companies will step up personal security with end-to-end encryption during data transmission, and encryption of all data “at rest” stored on servers.

It is really shocking that most banks in some nations still do not encrypt data on their servers, so once a hacker gains entry, which they do in every large bank several times a year, they usually have no trouble at all reading files.

It was very careless of Sony to allow hackers to so easily read all their archived emails, contracts and other documents. Best practice will mean universal encryption.

Customers will be urged to set up two-step authentication, with confirmation of passwords using codes sent to mobile devices. As a result, expect dramatic growth in attacks on telco companies and all mobile devices, to try to hack into SMS and intercept these codes. In 2014, such attacks grew more than a hundred times over the previous year.

Cyberwar - a new kind of Cold War

Expect many more significant large-scale cyber attacks against nations and groups of enterprises over the next two decades, often directed by criminal gangs rather than government staff, paid for by secret agents of other countries.

The largest of these attacks are likely to form part of next-generation conflicts / disputes between nations, paralysing entire government agencies for days, causing major disruption to banking and telecommunications, damaging utilities such as power stations or parts of the national grid.

It is already happening: for example, a blast furnace in a steel mill was hit by hackers in Germany recently, causing parts of the plant to fail. But for understandable reasons, most successful attacks on major installations will be kept strictly secret, in the national interest.

Cyberattacks on international data cables, people, companies and nations

Cyber-attacks are easy to carry out on physical web infrastructure too.

For example, most bandwidth in the world is carried on a few, very vulnerable, fibre-optic cables. Cutting them is very easy – all you have to do is drag a ship’s anchor along a sea bed to snag them. And it is very hard to detect what ship did it, especially in relatively busy shipping areas.

Recent cable damage reduced web access in India by 70%, Egypt by 60%, with many other nations affected in the Middle East. In another episode, divers were arrested off the coast of Egypt in the act of sabotage.

For all these reasons, Nato includes cyberattacks as one of the events which could trigger a joint response by the Alliance.

Nations like the UK are very vulnerable since the exact points are well known on maps, where huge data cables run from shallow sea water into the shoreline.

Using mini-submersibles like those the BBC hired to film Blue Oceans II, it is easy to track all data cables into deep ocean, and a work of minutes to cut them.

However, it will be almost impossible to prove who is really behind such attacks, and therefore impossible to retaliate effectively.

The US Navy is being hit on a routine basis by over 100,000 separate online attacks every hour, according to Hewlett Packard. But from where and by whom and for what purpose?

Sometimes digital debris is left by accident which gives clues about origin – for example naming a piece of code, deeply encrypted inside a complex virus, after a popular TV comedian in a particular country. But subtle clue-dropping can also be a deliberate decoy, used by secret services or gangs to cast blame on an innocent nation.

Viruses designed to control entire countries

It targeted a wide range of industrial control systems, national grids, power stations, wind turbines, biomass fuel plants.

It was designed to monitor energy use in real time and to disable systems on command – but on whose command?

Future energy viruses will target smart grids and smart homes – imagine the impact for example, if a hacker from a hostile state or group could turn on 15 million air conditioners simultaneously, causing instant power cuts.

A few weeks after discovery of Energetic Bear, Russian telecom and health companies, utilities and government agencies discovered that they too had been hit by one of the most deadly and sophisticated clusters of viruses ever created, called Regin.

The cluster was designed with multiple Apps, to steal passwords, extract information on a huge range of systems, and take total control of many different types of industrial equipment.

“Digital bombs” inside large organisations

In many cases, it turned out that the viruses had been working away for up to 6 years without detection, despite every check. The viruses were constantly listening online for a single command to detonate tens of thousands of digital “bombs” across every part of the nation.

It has been reported that Russia is now so anxious about American penetration, that security agencies are using printed paper for ultra-sensitive communications. The Chinese meanwhile are building a quantum computing link between Beijing and Shanghai, which they hope will lock out foreign surveillance.

In 2007, Estonian banks, Government agencies, Parliament, broadcasters and newspapers were also hit by three weeks of cyber-attacks which completely paralysed their web capabilities. These followed a disagreement with Russia, though responsibility was never proven.

So we will see huge investment in cyber-resilience, by governments, banks, stock exchanges and utility companies in particular, in the wealthiest nations, but smaller nations will remain very vulnerable.

At least a quarter of all attacks will be espionage – directed at stealing state secrets or corporate research which has yet to be patent protected.

Hackers will be recruited by spies and gangs

Expect growing numbers of full-time professional hackers, operating as independent consultants to criminal gangs and secret services, offering services in combination with others to plan major attacks.

In many cases, these hacking geniuses will never realize who the end client really is. They may think they are working for MI6 in the UK for example, but are actually working for a Bulgarian gang, which is assisting Russian Federal Security Services, or for the CIA or Mossad.

Many attacks will be multidimensional in future. So a large scale identity theft takes place a couple of hours before a vital payment channel is hacked, to create new PIN numbers. Minutes later, two hundred people with cloned cash cards start withdrawing cash from ATMs in over 50 cities.

Hackers will be turned against other hackers

Expect a radical rethink about what on earth to do with convicted hackers: people with proven genius in cracking open systems, who may well be the best people in the world to test your own security, and help improve it.

Do we really want to waste their lives locked up in prison?

Some hackers will be offered rewards by governments to attack and destroy the dark web.

The aim will be to identify many millions of users of Tor web browsers (these are like normal web browsers, but prevent ANYONE monitoring your web activity), and users of other “secret” tools: people who want to keep their activities and payments 100% secret.

Over 400 dark websites were closed in 2014 alone, including sites which sell illegal drugs, illegal arms deals, assassinations of spouses or politicians, and every kind of depravity.

However, many dark web users in future will simply be trying to evade “oppressive” state snooping – particularly in countries like Russia or China where web controls have become severe. Use of Tor in Russia leapt from 60,000 to over 200,000 people in just a couple of months following the seizure of Crimea.
